Identity Veracity is the concept that it is not enough to know that an identity exists: who manages it, what access it has and which groups the user belongs to are equally crucial to managing a secure enterprise. To meet these identity objectives, organizations will want to adhere to these 5 best practices for Identity Veracity.
In 2020, businesses were plagued with cybersecurity threats and reported nearly 4,000 data breaches that exposed millions of records. Throughout March 2020 alone, online scams increased by 400%, many of which led to issues such as ransomware and other security threats. In 2021, workers are slowly returning to the office with office visits reaching 26.1% of pre-pandemic levels towards the end of April.
1) Establish Accountability
Many organizations lack processes that define who approves access requests and when. Leaving these roles undefined creates significant compliance and risk issues and leaves no visibility into access decisions when audits are required. Instead, enterprises should develop procedures for how access is requested and approved. YouAttest makes this easy through Access Request Approvals, a solution that meets industry and audit standards to ensure that access approvals are logged and auditable.
2) Role-Based Access Controls
Organizations can simplify identity governance and administration (IGA) and Identity and Access Management (IAM) by employing role-based access controls (RBAC). With this practice in place, each role type is assigned specific access capabilities based on the duties associated with the role. This ensures that users are granted only the least privilege required. The principle of least privilege is considered a best practice by NIST standards, outlined in the Cybersecurity Framework, which complements numerous regulations such as HIPAA and SOX.
3) Review Access Changes
When users request access to certain groups or resources, organizations should ensure that the user is authorized to gain the access they’re requesting. This is especially important for administrative and other privileged accounts. Through YouAttest, key enterprise members are alerted each time a request is made, ensuring that they attest to the changes and create an auditable log in real time, so that access is granted only after the user has been approved. This maintains least privilege, ensuring users do not have more access than their roles require.
4) Get Updates in Real-Time
Cybersecurity threats are constantly evolving and can change minute to minute. To stay ahead of potential threats, enterprises should turn to an IGA program that enables real-time alerts when users are requesting or attempting to change access permissions. The response time when changes are made can be the difference between containing the attempts of a bad actor and responding to an all-out data breach that compromises the files of thousands or even millions of accounts. YouAttest allows users to receive notifications of access requests as they occur, requiring authorized users to either confirm or deny the request.
5) Regularly Scheduled Access Reviews
Access reviews are recommended by most frameworks, including the NIST Cybersecurity Framework (PR.AC-1) and SP 800-53 rev 5. Access reviews are required by regulations and standards such as HIPAA, HITRUST, SOX, SOC, PCI-DSS and ISO 27001. Often they are required annually or bi-annually, but quarterly reviews are considered best practice.
The manner in which the access review is conducted is important to the quality and veracity of the process. For most organizations the process is manual, with XLS spreadsheets and massive emails criss-crossing the organization. This process is fraught with errors and produces questionable results. The biggest loss here is lack of accountability. The access review process must be conducted by the immediate supervisor or manager who knows who should have access to what. In a manual review this delegation and certainty of accountability is impossible.
YouAttest not only allows manual delegation to the proper manager, but also has auto-delegation to ensure the proper manager reviews user access.
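As an added illustration of practices 2, 3 and 5 (example code written for this page, not YouAttest's product or API), the following Python builds a review campaign from a role-to-group baseline: each user's review is delegated to their immediate manager, falling back to a governance queue (an assumption here) when no manager is recorded, group memberships outside the user's role are flagged as least-privilege exceptions, and every decision is written to an auditable log that only the assigned reviewer can sign. Roles, users and group names are constructed sample data.

```python
from datetime import datetime, timezone

# Constructed sample data: role -> groups that role is entitled to (least-privilege baseline).
ROLES = {
    "finance-analyst": {"fin-readonly", "erp-users"},
    "sysadmin": {"erp-users", "domain-admins"},
}
# Constructed sample users; alice holds a group her role does not entitle her to,
# and erin has no manager on record.
USERS = [
    {"user": "alice", "role": "finance-analyst", "manager": "bob",
     "groups": {"fin-readonly", "erp-users", "domain-admins"}},
    {"user": "carol", "role": "sysadmin", "manager": "dave",
     "groups": {"erp-users", "domain-admins"}},
    {"user": "erin", "role": "finance-analyst", "manager": None,
     "groups": {"fin-readonly"}},
]
FALLBACK_REVIEWER = "iam-governance"  # assumed queue used when auto-delegation finds no manager


def build_review_campaign(users, roles, fallback=FALLBACK_REVIEWER):
    """Produce one review item per user, delegated to the immediate manager."""
    items = []
    for u in users:
        entitled = roles.get(u["role"], set())
        excess = sorted(u["groups"] - entitled)  # memberships beyond the role baseline
        items.append({
            "user": u["user"],
            "reviewer": u["manager"] or fallback,
            "auto_delegated": u["manager"] is None,
            "excess_groups": excess,
            "needs_attention": bool(excess),
        })
    return items


def record_decision(log, item, reviewer, decision, when=None):
    """Append an auditable entry; only the delegated reviewer may attest."""
    if reviewer != item["reviewer"]:
        raise PermissionError(f"{reviewer} is not the assigned reviewer for {item['user']}")
    if decision not in ("approve", "revoke"):
        raise ValueError("decision must be 'approve' or 'revoke'")
    entry = {"user": item["user"], "reviewer": reviewer, "decision": decision,
             "excess_groups": item["excess_groups"],
             "timestamp": (when or datetime.now(timezone.utc)).isoformat()}
    log.append(entry)
    return entry
```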
YouAttest is an automated identity audit tool for Okta, AD and other resources. Cloud based and simple to use – YouAttest provides a quantified platform for your identity audits. Schedule an appointment with a YouAttest identity audit professional.